Wednesday, February 17, 2010

Google AdSense Code Vulnerability

If you’re a publisher who uses Google AdSense to monetize your site, you may have noticed how easy it is to paste your AdSense code into your webpage’s source. These few lines of JavaScript then let Google “sense” the content of the page the code is on and publish relevant ads according to context.

However, what you won’t notice at first is how insecure this is. Your AdSense code is up there for anyone to see as soon as a reader uses his browser’s View Source functionality. And the most important part of this code is your publisher ID.


In theory, anyone who can see this code can paste your AdSense code into their own sites and do all sorts of malicious things with your account. For one, they can simulate click fraud by loading up their page with your ads in it and clicking the ads over and over. You might end up being suspended or banned from AdSense because of this. Even if you can contest the suspension, the few days or weeks without AdSense might hit you hard in terms of lost revenue.

A malicious user can also paste your ad code on a website in violation of the AdSense terms of service, such as on an adult site or a site that distributes pirated content.

Google has not yet enforced measures to protect legitimate publishers against being defrauded in these ways. Some good methods we think worth considering are banning based on URLs rather than AdSense publisher ID, and even hiding the publisher ID itself from public view.

For now, it pays to be vigilant in monitoring your ad performance and behavior. If you think you’re getting too much, or if you find other sites using your publisher ID (you can do a Google search for that line of text), then it’s time to get in touch with the Google AdSense team for help.
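The monitoring step above can be partly automated. The following is an added example, not part of the original post: it scans page sources you have already collected (for instance from search results for your ID) and reports pages outside your own hosts that carry your publisher ID. The function names, the sample ID, hosts and pages are all constructed, and the pattern assumes a 16-digit publisher ID.

```python
import re
from urllib.parse import urlparse

# Publisher ID as it appears in AdSense snippets: google_ad_client = "pub-...",
# data-ad-client="ca-pub-...", or ...?client=ca-pub-... in a script URL.
# Assumption: the numeric part of the ID is 16 digits.
PUB_ID_RE = re.compile(
    r'(?:google_ad_client|data-ad-client|[?&]client)\s*[=:]\s*["\']?'
    r'(?:ca-)?(pub-\d{16})(?!\d)'
)

def publisher_ids(html):
    """Return the set of publisher IDs (normalised to 'pub-...') in a page source."""
    return set(PUB_ID_RE.findall(html))

def foreign_uses(my_id, my_hosts, pages):
    """Return sorted URLs that carry my_id but are not on one of my_hosts.

    pages maps URL -> HTML source that was fetched beforehand.
    """
    if my_id.startswith("ca-"):
        my_id = my_id[3:]
    hits = []
    for url, html in pages.items():
        host = (urlparse(url).hostname or "").lower()
        # Exact host or a true subdomain; "notexample.com" must not match.
        mine = any(host == h or host.endswith("." + h) for h in my_hosts)
        if not mine and my_id in publisher_ids(html):
            hits.append(url)
    return sorted(hits)

# Constructed sample data (not real IDs or sites).
MY_ID = "ca-pub-0000000000000001"
MY_HOSTS = {"example.com"}
SAMPLE_PAGES = {
    "https://www.example.com/post":
        '<script>google_ad_client = "pub-0000000000000001";</script>',
    "https://scraper.example.net/copy":
        '<ins class="adsbygoogle" data-ad-client="ca-pub-0000000000000001"></ins>',
    "https://other.example.org/":
        '<script>google_ad_client = "ca-pub-0000000000000002";</script>',
    "https://notexample.com/":
        '<script src="https://ads.invalid/ads.js?client=ca-pub-0000000000000001"></script>',
}

if __name__ == "__main__":
    for url in foreign_uses(MY_ID, MY_HOSTS, SAMPLE_PAGES):
        print("publisher ID found on a host that is not yours:", url)
```

Each URL it reports is a page to include when you contact the AdSense team.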
